|  | /* | 
|  | ------- Strong random data generation on a Macintosh (pre - OS X) ------ | 
|  |  | 
|  | --	GENERAL: We aim to generate unpredictable bits without explicit | 
|  | user interaction. A general review of the problem may be found | 
|  | in RFC 1750, "Randomness Recommendations for Security", and some | 
|  | more discussion, of general and Mac-specific issues has appeared | 
|  | in "Using and Creating Cryptographic- Quality Random Numbers" by | 
|  | Jon Callas (www.merrymeet.com/jon/usingrandom.html). | 
|  |  | 
|  | The data and entropy estimates provided below are based on my | 
|  | limited experimentation and estimates, rather than by any | 
|  | rigorous study, and the entropy estimates tend to be optimistic. | 
|  | They should not be considered absolute. | 
|  |  | 
|  | Some of the information being collected may be correlated in | 
|  | subtle ways. That includes mouse positions, timings, and disk | 
|  | size measurements. Some obvious correlations will be eliminated | 
|  | by the programmer, but other, weaker ones may remain. The | 
|  | reliability of the code depends on such correlations being | 
|  | poorly understood, both by us and by potential interceptors. | 
|  |  | 
|  | This package has been planned to be used with OpenSSL, v. 0.9.5. | 
|  | It requires the OpenSSL function RAND_add. | 
|  |  | 
|  | --	OTHER WORK: Some source code and other details have been | 
|  | published elsewhere, but I haven't found any to be satisfactory | 
|  | for the Mac per se: | 
|  |  | 
|  | * The Linux random number generator (by Theodore Ts'o, in | 
|  | drivers/char/random.c), is a carefully designed open-source | 
|  | crypto random number package. It collects data from a variety | 
|  | of sources, including mouse, keyboard and other interrupts. | 
|  | One nice feature is that it explicitly estimates the entropy | 
|  | of the data it collects. Some of its features (e.g. interrupt | 
|  | timing) cannot be reliably exported to the Mac without using | 
|  | undocumented APIs. | 
|  |  | 
|  | * Truerand by Don P. Mitchell and Matt Blaze uses variations | 
|  | between different timing mechanisms on the same system. This | 
|  | has not been tested on the Mac, but requires preemptive | 
|  | multitasking, and is hardware-dependent, and can't be relied | 
|  | on to work well if only one oscillator is present. | 
|  |  | 
|  | * Cryptlib's RNG for the Mac (RNDMAC.C by Peter Gutmann), | 
|  | gathers a lot of information about the machine and system | 
|  | environment. Unfortunately, much of it is constant from one | 
|  | startup to the next. In other words, the random seed could be | 
|  | the same from one day to the next. Some of the APIs are | 
|  | hardware-dependent, and not all are compatible with Carbon (OS | 
|  | X). Incidentally, the EGD library is based on the UNIX entropy | 
|  | gathering methods in cryptlib, and isn't suitable for MacOS | 
|  | either. | 
|  |  | 
|  | * Mozilla (and perhaps earlier versions of Netscape) uses the | 
|  | time of day (in seconds) and an uninitialized local variable | 
|  | to seed the random number generator. The time of day is known | 
|  | to an outside interceptor (to within the accuracy of the | 
|  | system clock). The uninitialized variable could easily be | 
|  | identical between subsequent launches of an application, if it | 
|  | is reached through the same path. | 
|  |  | 
|  | * OpenSSL provides the function RAND_screen(), by G. van | 
|  | Oosten, which hashes the contents of the screen to generate a | 
|  | seed. This is not useful for an extension or for an | 
|  | application which launches at startup time, since the screen | 
|  | is likely to look identical from one launch to the next. This | 
|  | method is also rather slow. | 
|  |  | 
|  | * Using variations in disk drive seek times has been proposed | 
|  | (Davis, Ihaka and Fenstermacher, world.std.com/~dtd/; | 
|  | Jakobsson, Shriver, Hillyer and Juels, | 
|  | www.bell-labs.com/user/shriver/random.html). These variations | 
|  | appear to be due to air turbulence inside the disk drive | 
|  | mechanism, and are very strongly unpredictable. Unfortunately | 
|  | this technique is slow, and some implementations of it may be | 
|  | patented (see Shriver's page above.) It of course cannot be | 
|  | used with a RAM disk. | 
|  |  | 
|  | --	TIMING: On the 601 PowerPC the time base register is guaranteed | 
|  | to change at least once every 10 addi instructions, i.e. 10 | 
|  | cycles. On a 60 MHz machine (slowest PowerPC) this translates to | 
|  | a resolution of 1/6 usec. Newer machines seem to be using a 10 | 
|  | cycle resolution as well. | 
|  |  | 
|  | For 68K Macs, the Microseconds() call may be used. See Develop | 
|  | issue 29 on the Apple developer site | 
|  | (developer.apple.com/dev/techsupport/develop/issue29/minow.html) | 
|  | for information on its accuracy and resolution. The code below | 
|  | has been tested only on PowerPC based machines. | 
|  |  | 
|  | The time from machine startup to the launch of an application in | 
|  | the startup folder has a variance of about 1.6 msec on a new G4 | 
|  | machine with a defragmented and optimized disk, most extensions | 
|  | off and no icons on the desktop. This can be reasonably taken as | 
|  | a lower bound on the variance. Most of this variation is likely | 
|  | due to disk seek time variability. The distribution of startup | 
|  | times is probably not entirely even or uncorrelated. This needs | 
|  | to be investigated, but I am guessing that it not a majpor | 
|  | problem. Entropy = log2 (1600/0.166) ~= 13 bits on a 60 MHz | 
|  | machine, ~16 bits for a 450 MHz machine. | 
|  |  | 
|  | User-launched application startup times will have a variance of | 
|  | a second or more relative to machine startup time. Entropy >~22 | 
|  | bits. | 
|  |  | 
|  | Machine startup time is available with a 1-second resolution. It | 
|  | is predictable to no better a minute or two, in the case of | 
|  | people who show up punctually to work at the same time and | 
|  | immediately start their computer. Using the scheduled startup | 
|  | feature (when available) will cause the machine to start up at | 
|  | the same time every day, making the value predictable. Entropy | 
|  | >~7 bits, or 0 bits with scheduled startup. | 
|  |  | 
|  | The time of day is of course known to an outsider and thus has 0 | 
|  | entropy if the system clock is regularly calibrated. | 
|  |  | 
|  | --	KEY TIMING: A  very fast typist (120 wpm) will have a typical | 
|  | inter-key timing interval of 100 msec. We can assume a variance | 
|  | of no less than 2 msec -- maybe. Do good typists have a constant | 
|  | rhythm, like drummers? Since what we measure is not the | 
|  | key-generated interrupt but the time at which the key event was | 
|  | taken off the event queue, our resolution is roughly the time | 
|  | between process switches, at best 1 tick (17 msec). I  therefore | 
|  | consider this technique questionable and not very useful for | 
|  | obtaining high entropy data on the Mac. | 
|  |  | 
|  | --	MOUSE POSITION AND TIMING: The high bits of the mouse position | 
|  | are far from arbitrary, since the mouse tends to stay in a few | 
|  | limited areas of the screen. I am guessing that the position of | 
|  | the mouse is arbitrary within a 6 pixel square. Since the mouse | 
|  | stays still for long periods of time, it should be sampled only | 
|  | after it was moved, to avoid correlated data. This gives an | 
|  | entropy of log2(6*6) ~= 5 bits per measurement. | 
|  |  | 
|  | The time during which the mouse stays still can vary from zero | 
|  | to, say, 5 seconds (occasionally longer). If the still time is | 
|  | measured by sampling the mouse during null events, and null | 
|  | events are received once per tick, its resolution is 1/60th of a | 
|  | second, giving an entropy of log2 (60*5) ~= 8 bits per | 
|  | measurement. Since the distribution of still times is uneven, | 
|  | this estimate is on the high side. | 
|  |  | 
|  | For simplicity and compatibility across system versions, the | 
|  | mouse is to be sampled explicitly (e.g. in the event loop), | 
|  | rather than in a time manager task. | 
|  |  | 
|  | --	STARTUP DISK TOTAL FILE SIZE: Varies typically by at least 20k | 
|  | from one startup to the next, with 'minimal' computer use. Won't | 
|  | vary at all if machine is started again immediately after | 
|  | startup (unless virtual memory is on), but any application which | 
|  | uses the web and caches information to disk is likely to cause | 
|  | this much variation or more. The variation is probably not | 
|  | random, but I don't know in what way. File sizes tend to be | 
|  | divisible by 4 bytes since file format fields are often | 
|  | long-aligned. Entropy > log2 (20000/4) ~= 12 bits. | 
|  |  | 
|  | --	STARTUP DISK FIRST AVAILABLE ALLOCATION BLOCK: As the volume | 
|  | gets fragmented this could be anywhere in principle. In a | 
|  | perfectly unfragmented volume this will be strongly correlated | 
|  | with the total file size on the disk. With more fragmentation | 
|  | comes less certainty. I took the variation in this value to be | 
|  | 1/8 of the total file size on the volume. | 
|  |  | 
|  | --	SYSTEM REQUIREMENTS: The code here requires System 7.0 and above | 
|  | (for Gestalt and Microseconds calls). All the calls used are | 
|  | Carbon-compatible. | 
|  | */ | 
|  |  | 
|  | /*------------------------------ Includes ----------------------------*/ | 
|  |  | 
|  | #include "Randomizer.h" | 
|  |  | 
|  | // Mac OS API | 
|  | #include <Files.h> | 
|  | #include <Folders.h> | 
|  | #include <Events.h> | 
|  | #include <Processes.h> | 
|  | #include <Gestalt.h> | 
|  | #include <Resources.h> | 
|  | #include <LowMem.h> | 
|  |  | 
|  | // Standard C library | 
|  | #include <stdlib.h> | 
|  | #include <math.h> | 
|  |  | 
|  | /*---------------------- Function declarations -----------------------*/ | 
|  |  | 
|  | // declared in OpenSSL/crypto/rand/rand.h | 
|  | extern "C" void RAND_add (const void *buf, int num, double entropy); | 
|  |  | 
|  | unsigned long GetPPCTimer (bool is601);	// Make it global if needed | 
|  | // elsewhere | 
|  |  | 
|  | /*---------------------------- Constants -----------------------------*/ | 
|  |  | 
|  | #define kMouseResolution 6		// Mouse position has to differ | 
|  | // from the last one by this | 
|  | // much to be entered | 
|  | #define kMousePositionEntropy 5.16	// log2 (kMouseResolution**2) | 
|  | #define kTypicalMouseIdleTicks 300.0	// I am guessing that a typical | 
|  | // amount of time between mouse | 
|  | // moves is 5 seconds | 
|  | #define kVolumeBytesEntropy 12.0	// about log2 (20000/4), | 
|  | // assuming a variation of 20K | 
|  | // in total file size and | 
|  | // long-aligned file formats. | 
|  | #define kApplicationUpTimeEntropy 6.0	// Variance > 1 second, uptime | 
|  | // in ticks | 
|  | #define kSysStartupEntropy 7.0		// Entropy for machine startup | 
|  | // time | 
|  |  | 
|  |  | 
|  | /*------------------------ Function definitions ----------------------*/ | 
|  |  | 
|  | CRandomizer::CRandomizer (void) | 
|  | { | 
|  | long	result; | 
|  |  | 
|  | mSupportsLargeVolumes = | 
|  | (Gestalt(gestaltFSAttr, &result) == noErr) && | 
|  | ((result & (1L << gestaltFSSupports2TBVols)) != 0); | 
|  |  | 
|  | if (Gestalt (gestaltNativeCPUtype, &result) != noErr) | 
|  | { | 
|  | mIsPowerPC = false; | 
|  | mIs601 = false; | 
|  | } | 
|  | else | 
|  | { | 
|  | mIs601 = (result == gestaltCPU601); | 
|  | mIsPowerPC = (result >= gestaltCPU601); | 
|  | } | 
|  | mLastMouse.h = mLastMouse.v = -10;	// First mouse will | 
|  | // always be recorded | 
|  | mLastPeriodicTicks = TickCount(); | 
|  | GetTimeBaseResolution (); | 
|  |  | 
|  | // Add initial entropy | 
|  | AddTimeSinceMachineStartup (); | 
|  | AddAbsoluteSystemStartupTime (); | 
|  | AddStartupVolumeInfo (); | 
|  | AddFiller (); | 
|  | } | 
|  |  | 
|  | void CRandomizer::PeriodicAction (void) | 
|  | { | 
|  | AddCurrentMouse (); | 
|  | AddNow (0.0);	// Should have a better entropy estimate here | 
|  | mLastPeriodicTicks = TickCount(); | 
|  | } | 
|  |  | 
|  | /*------------------------- Private Methods --------------------------*/ | 
|  |  | 
|  | void CRandomizer::AddCurrentMouse (void) | 
|  | { | 
|  | Point mouseLoc; | 
|  | unsigned long lastCheck;	// Ticks since mouse was last | 
|  | // sampled | 
|  |  | 
|  | #if TARGET_API_MAC_CARBON | 
|  | GetGlobalMouse (&mouseLoc); | 
|  | #else | 
|  | mouseLoc = LMGetMouseLocation(); | 
|  | #endif | 
|  |  | 
|  | if (labs (mLastMouse.h - mouseLoc.h) > kMouseResolution/2 && | 
|  | labs (mLastMouse.v - mouseLoc.v) > kMouseResolution/2) | 
|  | AddBytes (&mouseLoc, sizeof (mouseLoc), | 
|  | kMousePositionEntropy); | 
|  |  | 
|  | if (mLastMouse.h == mouseLoc.h && mLastMouse.v == mouseLoc.v) | 
|  | mMouseStill ++; | 
|  | else | 
|  | { | 
|  | double entropy; | 
|  |  | 
|  | // Mouse has moved. Add the number of measurements for | 
|  | // which it's been still. If the resolution is too | 
|  | // coarse, assume the entropy is 0. | 
|  |  | 
|  | lastCheck = TickCount() - mLastPeriodicTicks; | 
|  | if (lastCheck <= 0) | 
|  | lastCheck = 1; | 
|  | entropy = log2l | 
|  | (kTypicalMouseIdleTicks/(double)lastCheck); | 
|  | if (entropy < 0.0) | 
|  | entropy = 0.0; | 
|  | AddBytes (&mMouseStill, sizeof (mMouseStill), entropy); | 
|  | mMouseStill = 0; | 
|  | } | 
|  | mLastMouse = mouseLoc; | 
|  | } | 
|  |  | 
|  | void CRandomizer::AddAbsoluteSystemStartupTime (void) | 
|  | { | 
|  | unsigned long	now;		// Time in seconds since | 
|  | // 1/1/1904 | 
|  | GetDateTime (&now); | 
|  | now -= TickCount() / 60;	// Time in ticks since machine | 
|  | // startup | 
|  | AddBytes (&now, sizeof (now), kSysStartupEntropy); | 
|  | } | 
|  |  | 
|  | void CRandomizer::AddTimeSinceMachineStartup (void) | 
|  | { | 
|  | AddNow (1.5);			// Uncertainty in app startup | 
|  | // time is > 1.5 msec (for | 
|  | // automated app startup). | 
|  | } | 
|  |  | 
|  | void CRandomizer::AddAppRunningTime (void) | 
|  | { | 
|  | ProcessSerialNumber PSN; | 
|  | ProcessInfoRec		ProcessInfo; | 
|  |  | 
|  | ProcessInfo.processInfoLength = sizeof (ProcessInfoRec); | 
|  | ProcessInfo.processName = nil; | 
|  | ProcessInfo.processAppSpec = nil; | 
|  |  | 
|  | GetCurrentProcess (&PSN); | 
|  | GetProcessInformation (&PSN, &ProcessInfo); | 
|  |  | 
|  | // Now add the amount of time in ticks that the current process | 
|  | // has been active | 
|  |  | 
|  | AddBytes (&ProcessInfo, sizeof (ProcessInfoRec), | 
|  | kApplicationUpTimeEntropy); | 
|  | } | 
|  |  | 
|  | void CRandomizer::AddStartupVolumeInfo (void) | 
|  | { | 
|  | short			vRefNum; | 
|  | long			dirID; | 
|  | XVolumeParam	pb; | 
|  | OSErr			err; | 
|  |  | 
|  | if (!mSupportsLargeVolumes) | 
|  | return; | 
|  |  | 
|  | FindFolder (kOnSystemDisk, kSystemFolderType, kDontCreateFolder, | 
|  | &vRefNum, &dirID); | 
|  | pb.ioVRefNum = vRefNum; | 
|  | pb.ioCompletion = 0; | 
|  | pb.ioNamePtr = 0; | 
|  | pb.ioVolIndex = 0; | 
|  | err = PBXGetVolInfoSync (&pb); | 
|  | if (err != noErr) | 
|  | return; | 
|  |  | 
|  | // Base the entropy on the amount of space used on the disk and | 
|  | // on the next available allocation block. A lot else might be | 
|  | // unpredictable, so might as well toss the whole block in. See | 
|  | // comments for entropy estimate justifications. | 
|  |  | 
|  | AddBytes (&pb, sizeof (pb), | 
|  | kVolumeBytesEntropy + | 
|  | log2l (((pb.ioVTotalBytes.hi - pb.ioVFreeBytes.hi) | 
|  | * 4294967296.0D + | 
|  | (pb.ioVTotalBytes.lo - pb.ioVFreeBytes.lo)) | 
|  | / pb.ioVAlBlkSiz - 3.0)); | 
|  | } | 
|  |  | 
|  | /* | 
|  | On a typical startup CRandomizer will come up with about 60 | 
|  | bits of good, unpredictable data. Assuming no more input will | 
|  | be available, we'll need some more lower-quality data to give | 
|  | OpenSSL the 128 bits of entropy it desires. AddFiller adds some | 
|  | relatively predictable data into the soup. | 
|  | */ | 
|  |  | 
|  | void CRandomizer::AddFiller (void) | 
|  | { | 
|  | struct | 
|  | { | 
|  | ProcessSerialNumber psn;	// Front process serial | 
|  | // number | 
|  | RGBColor	hiliteRGBValue;	// User-selected | 
|  | // highlight color | 
|  | long		processCount;	// Number of active | 
|  | // processes | 
|  | long		cpuSpeed;	// Processor speed | 
|  | long		totalMemory;	// Total logical memory | 
|  | // (incl. virtual one) | 
|  | long		systemVersion;	// OS version | 
|  | short		resFile;	// Current resource file | 
|  | } data; | 
|  |  | 
|  | GetNextProcess ((ProcessSerialNumber*) kNoProcess); | 
|  | while (GetNextProcess (&data.psn) == noErr) | 
|  | data.processCount++; | 
|  | GetFrontProcess (&data.psn); | 
|  | LMGetHiliteRGB (&data.hiliteRGBValue); | 
|  | Gestalt (gestaltProcClkSpeed, &data.cpuSpeed); | 
|  | Gestalt (gestaltLogicalRAMSize, &data.totalMemory); | 
|  | Gestalt (gestaltSystemVersion, &data.systemVersion); | 
|  | data.resFile = CurResFile (); | 
|  |  | 
|  | // Here we pretend to feed the PRNG completely random data. This | 
|  | // is of course false, as much of the above data is predictable | 
|  | // by an outsider. At this point we don't have any more | 
|  | // randomness to add, but with OpenSSL we must have a 128 bit | 
|  | // seed before we can start. We just add what we can, without a | 
|  | // real entropy estimate, and hope for the best. | 
|  |  | 
|  | AddBytes (&data, sizeof(data), 8.0 * sizeof(data)); | 
|  | AddCurrentMouse (); | 
|  | AddNow (1.0); | 
|  | } | 
|  |  | 
|  | //-------------------  LOW LEVEL --------------------- | 
|  |  | 
|  | void CRandomizer::AddBytes (void *data, long size, double entropy) | 
|  | { | 
|  | RAND_add (data, size, entropy * 0.125);	// Convert entropy bits | 
|  | // to bytes | 
|  | } | 
|  |  | 
|  | void CRandomizer::AddNow (double millisecondUncertainty) | 
|  | { | 
|  | long time = SysTimer(); | 
|  | AddBytes (&time, sizeof (time), log2l (millisecondUncertainty * | 
|  | mTimebaseTicksPerMillisec)); | 
|  | } | 
|  |  | 
|  | //----------------- TIMING SUPPORT ------------------ | 
|  |  | 
|  | void CRandomizer::GetTimeBaseResolution (void) | 
|  | { | 
|  | #ifdef __powerc | 
|  | long speed; | 
|  |  | 
|  | // gestaltProcClkSpeed available on System 7.5.2 and above | 
|  | if (Gestalt (gestaltProcClkSpeed, &speed) != noErr) | 
|  | // Only PowerPCs running pre-7.5.2 are 60-80 MHz | 
|  | // machines. | 
|  | mTimebaseTicksPerMillisec =  6000.0D; | 
|  | // Assume 10 cycles per clock update, as in 601 spec. Seems true | 
|  | // for later chips as well. | 
|  | mTimebaseTicksPerMillisec = speed / 1.0e4D; | 
|  | #else | 
|  | // 68K VIA-based machines (see Develop Magazine no. 29) | 
|  | mTimebaseTicksPerMillisec = 783.360D; | 
|  | #endif | 
|  | } | 
|  |  | 
|  | unsigned long CRandomizer::SysTimer (void)	// returns the lower 32 | 
|  | // bit of the chip timer | 
|  | { | 
|  | #ifdef __powerc | 
|  | return GetPPCTimer (mIs601); | 
|  | #else | 
|  | UnsignedWide usec; | 
|  | Microseconds (&usec); | 
|  | return usec.lo; | 
|  | #endif | 
|  | } | 
|  |  | 
|  | #ifdef __powerc | 
|  | // The timebase is available through mfspr on 601, mftb on later chips. | 
|  | // Motorola recommends that an 601 implementation map mftb to mfspr | 
|  | // through an exception, but I haven't tested to see if MacOS actually | 
|  | // does this. We only sample the lower 32 bits of the timer (i.e. a | 
|  | // few minutes of resolution) | 
|  |  | 
|  | asm unsigned long GetPPCTimer (register bool is601) | 
|  | { | 
|  | cmplwi	is601, 0	// Check if 601 | 
|  | bne	_601		// if non-zero goto _601 | 
|  | mftb  	r3		// Available on 603 and later. | 
|  | blr			// return with result in r3 | 
|  | _601: | 
|  | mfspr r3, spr5  	// Available on 601 only. | 
|  | // blr inserted automatically | 
|  | } | 
|  | #endif |